
Footprinting


kuniko




Presentation Transcript


  1. Footprinting

  2. FBI Misused Information-Gathering Power

  3. Footprinting Flow

  4. Reconnaissance • Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack • It involves network scanning, either external or internal, without authorization • (Diagram: Reconnaissance is the phase that precedes Gaining Access and Maintaining Access)

  5. Footprinting • Footprinting is the blueprint of the security profile of an organization, undertaken in a methodical manner • Footprinting is one of the three pre-attack phases • An attacker spends 90% of the time profiling an organization and the other 10% launching the attack • Footprinting results in a unique organization profile with respect to the networks (Internet/intranet/extranet/wireless) and systems involved

  6. Footprinting Collection Areas

  7. Port Scanning

  8. Introduction to Port Scanning (1) • Port Scanning • Finds out which services a host computer offers • Helps identify vulnerabilities • Scan all 65,535 ports when testing, not just the well-known ports (1-1023) • Open services can be used in attacks • Identify a vulnerable service via scanning • Then launch an exploit against it • E.g. ?

  9. Introduction to Port Scanning (2) • Port scanning programs report • Open ports • Closed ports • Filtered ports • A best-guess assessment of which OS is running • Discussion: closed port vs. filtered port • A closed port answers the probe (RST for TCP, ICMP port unreachable for UDP): the host is reachable but nothing listens there • A filtered port gives no answer, or an ICMP unreachable from a filtering device: the scanner cannot tell whether something listens behind the filter

  10. TCP Flags • URG: TCP segment contains urgent data • ACK: TCP segment has a valid acknowledgment number field (set in all segments except the first segment with which the client establishes the connection) • PSH: This flag means push function. • By means of this function, TCP allows a sending application to specify that the data must be pushed immediately. • When an application requests TCP to push data, TCP should send the data that has accumulated without waiting to fill the segment. TCP segments sent in such a way are marked by the PSH flag. • RST: Reset the TCP connection • SYN: This flag means synchronize sequence numbers. • The source is beginning a new counting sequence. In other words, the TCP segment contains the sequence number of the first sent byte (ISN) • FIN: Finished, no more data from the sender. • Receiving a TCP segment with the FIN flag does not mean that transferring data in the opposite direction is no longer possible. • TCP is a full-duplex connection; the FIN flag closes the connection in one direction only.

  11. Types of Port Scans • SYN scan • Stealthy (half-open) scan: sends a SYN and never completes the handshake, so the connection is not logged by the application • Connect scan • Completes the three-way handshake through the OS connect() call; needs no raw-socket privileges • NULL scan • All packet flags are turned off • XMAS scan • FIN, PSH and URG flags are set

  12. Types of Port Scans (continued) • ACK scan • Used to map firewall rules rather than to find open ports: an RST reply means the probe got past the filter (unfiltered), no reply means filtered • FIN scan • Closed port responds with an RST packet; an open port stays silent (so silence means open or filtered) • UDP scan • Closed port responds with an ICMP "Port Unreachable" message; no reply means open or filtered
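The flag decoding from slide 10 and the response rules from slides 11 and 12, as an added worked example (not code from the original slides). It builds and parses raw 20-byte TCP headers and infers a port state from what came back for each probe type; the replies used in the demo are constructed in memory, nothing is sent on the wire. Port numbers, sequence numbers and the `classify` helper are illustrative assumptions.

```python
"""Decode TCP flags and infer port state from a probe/response pair (added example)."""
import struct
from typing import Optional, Set

# Low six bits of TCP header bytes 12-13; FIN is the least significant bit
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport: int, dport: int, flags: Set[str],
                     seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Minimal 20-byte TCP header, no options; checksum left 0 (it needs the IP pseudo-header)."""
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    off_flags = (5 << 12) | flag_byte          # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of a TCP header and the set of flags that are on."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    flag_byte = off_flags & 0x3F
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "data_offset": (off_flags >> 12) * 4,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_byte & bit},
    }


def classify(scan: str, response: Optional[bytes], icmp_unreachable: bool = False) -> str:
    """Infer a port state from the reply a probe got, per scan type.

    scan: "SYN", "FIN", "NULL", "XMAS" or "ACK"; response: raw TCP reply or None for silence;
    icmp_unreachable: an ICMP type 3 message came back instead of a TCP segment.
    """
    if scan not in ("SYN", "FIN", "NULL", "XMAS", "ACK"):
        raise ValueError(f"unknown scan type: {scan}")
    if icmp_unreachable:
        return "filtered"                      # a filtering device told us it dropped the probe
    if response is None:
        # Silence: for SYN/ACK probes the packet was dropped; for FIN/NULL/Xmas an open
        # port is silent too (RFC 793), so silence is ambiguous
        return "filtered" if scan in ("SYN", "ACK") else "open|filtered"
    flags = parse_tcp_header(response)["flags"]
    if "RST" in flags:
        # RST means closed for SYN/FIN/NULL/Xmas; for an ACK probe it only proves no stateful filter
        return "unfiltered" if scan == "ACK" else "closed"
    if scan == "SYN" and {"SYN", "ACK"} <= flags:
        return "open"                          # handshake step 2; a scanner then sends RST, not ACK
    return "unknown"


if __name__ == "__main__":
    # Constructed replies: what a host would answer on an open (80) and a closed (23) port
    syn_ack = build_tcp_header(80, 40000, {"SYN", "ACK"}, seq=1000, ack=1)
    rst_ack = build_tcp_header(23, 40000, {"RST", "ACK"}, ack=1)
    for scan, reply in [("SYN", syn_ack), ("SYN", rst_ack), ("FIN", None),
                        ("XMAS", rst_ack), ("ACK", rst_ack)]:
        seen = sorted(parse_tcp_header(reply)["flags"]) if reply else "-"
        print(f"{scan:4} reply={seen} -> {classify(scan, reply)}")
```

One caveat the rules above do not encode: the FIN/NULL/Xmas inference relies on RFC 793 behaviour, and stacks such as Windows and many Cisco devices answer RST on every port regardless, so those scans report everything as closed there; the SYN and ACK rules hold across stacks.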

  13. Port-Scanning Tools • Nmap • Genlist • Zenmap • Unicornscan • NetScanTools Pro 2004 • Nessus

  14. Nmap (1) • Nmap ("Network Mapper") • An open source tool for network exploration and security auditing. • Commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime

  15. Nmap (2) • Nmap can rapidly scan large networks, to determine: • what hosts are available on the network, • what services (application name and version) those hosts are offering, • what operating systems (and OS versions) they are running, • what type of packet filters/firewalls are in use, • And dozens of other characteristics …

  16. Nmap Example • nmap -sS -P0 -O -T sneaky -p 445 -D 64.233.169.99 <ip_to_scan> • SYN ("stealth") scan (-sS), which does not complete the TCP connection. This is fairly fast and unobtrusive, but it and -O need raw sockets, i.e. root. • The -P0 flag (spelled -Pn in current Nmap) tells Nmap NOT to ping the target first, which adds to stealth and also scans hosts that block ICMP. • -T is a timing template, from paranoid (-T0) through sneaky (-T1) to insane (-T5); it determines how fast probes are sent. • The -p flag specifies a port or a port range. • The -D flag specifies one or more decoy addresses. • Here a Googlebot IP address is used as decoy, so the target sees probes from both your IP address and Googlebot's. This confuses the target's logs, but your real address is still among the sources unless you also use ME-less decoy ordering, and the decoy host must be up, or the target's SYN replies to it may reveal the trick.

  17. Genlist • Genlist is a program that returns a list of hosts that respond to ping probes. • This list can then be used to scan only those machines with Nmap. • Example: • Generate a list of live hosts and save it to a file called "list": genlist -s 216.109.112.* > list • Use Nmap to scan that list: nmap -v -iL list

  18. Zenmap • Zenmap is the official Nmap Security Scanner GUI. • A multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application • Makes Nmap easy for beginners to use • Also provides advanced features for experienced Nmap users.

  19. Main Features of Zenmap • Frequently used scans can be saved as profiles to make them easy to run repeatedly. • A command creator allows interactive creation of Nmap command lines. • Scan results can be saved in a searchable database and viewed later.

  20. Zenmap Profile Editor

  21. Zenmap Scan Results

  22. Advantages of Zenmap over plain Nmap • Results viewing • Arrange the display to show all ports on a host or all hosts running a particular service. • The results of several scans may be combined and viewed at once. • Comparison • Graphically show the differences between two scans. • Scans run on different days, scans of two different hosts, scans of the same hosts with different options, or any other combination. • Convenience • Keeps track of scan results until you choose to throw them away. • Repeatability • Command profiles make it easy to run the exact same scan more than once.

  23. Unicornscan • Unicornscan is a scalable port scanner developed in 2004 • It uses its own userland TCP/IP stack and tries to track the packets-per-second (PPS) rate you specify as closely as possible. • E.g., from a single Pentium system it is typical to generate 25,000 PPS or more • Ideal for conducting tests on large networks

  24. Unicornscan features • UDP scanning is optimized for speed • UDP scanning is an unreliable method of discovering live systems on a network (open ports usually stay silent) • Scans 65,535 ports in three to seven seconds • Unicornscan also handles port scanning using TCP, ICMP, and IP

  25. Example 1 UDP-Protocol-Specific-Payload Based Scanning • # unicornscan -r200 -mU -I 192.168.0.0/24:53 • Option Description • -r200 200 Packets Per Second • -mU Scan Mode UDP • -I Immediately display results to the screen as received • :53 Port 53

  26. Example 2: TCP Scanning • # unicornscan -r500 -mT www.yahoo.com/29:80,443 • Option Description • -r500 500 Packets Per Second • -mT Scan Mode TCP (TCP SYN is the default mode if not otherwise specified) • /29 Scan the whole /29 block the resolved address belongs to • :80,443 Ports 80 and 443

  27. Unicornscan TCP scanning Flags • Flag letters follow -mT; an uppercase letter sets a flag, lowercase clears it (s = no SYN) • Common flag schemes: • a SYN scan -mT • an ACK scan -mTsA • a FIN scan -mTsF • a NULL scan -mTs • an nmap-style Xmas scan -mTsFPU • a scan with all flags on -mTFSRPAUEC

  28. NetScanTools Pro 2004 • NetScanTools Pro is a robust easy-to-use commercial tool • Supported OSs: *NIX, Windows • Types of tests • Database vulnerabilities • E-mail account vulnerabilities • DHCP server discovery • IP packets and name servers • OS fingerprinting

  29. Nessus • Nessus is capable of: • high speed discovery • Configuration auditing • Asset profiling • Sensitive data discovery and vulnerability analysis • Nessus uses a client/server technology, Server • Any *NIX platform • Client • Can be UNIX or Windows • Conducts testing from different locations

  30. Nessus security plug-ins • Nessus security plug-in is a security test program (script) that can be selected from the client interface. • Nessus can update security checks plug-ins • Plug-ins can find vulnerabilities associated with identified services

  31. Nessus

  32. Objectives • Port scanning • Port-scanning tools • Ping sweeps

  33. Ping Sweeps • Ping sweeps identify which IP addresses belong to active hosts • Problems of Ping Sweep • Computers that are shut down cannot respond • Networks may be configured to block ICMP Echo Requests • Firewalls may filter out ICMP traffic

  34. Ping • Ping uses the Internet Control Message Protocol (ICMP) • It sends out ICMP requests (ICMP ECHO_REQUEST, type 8) and then waits for a valid reply (ICMP ECHO_REPLY, type 0) • Tells you that the destination is reachable, and the route between your computer and the other one (by using the -R record-route option).
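The echo exchange described above, as an added example (not code from the original slides): it builds an ICMP Echo Request with the RFC 1071 one's-complement checksum, then checks that a reply is a well-formed Echo Reply echoing the same identifier, sequence and payload. The reply bytes are constructed in memory so the code runs offline; the identifier, payload and the IP header used in the demo are assumptions. To send for real you would open `socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)` as root, `sendto()` the request, and strip the IPv4 header from what `recvfrom()` returns.

```python
"""Build an ICMP Echo Request and validate an Echo Reply offline (added example)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, end-around carry, then complement."""
    if len(data) % 2:
        data += b"\x00"                         # odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Type, code 0, checksum, identifier, sequence, payload; checksum covers all of it."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Decode an echo message; checksum_ok is True when the sum over the whole packet is zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def strip_ip_header(raw: bytes) -> bytes:
    """A raw ICMP socket hands back the IPv4 header first; its length is IHL * 4 bytes."""
    ihl = (raw[0] & 0x0F) * 4
    return raw[ihl:]


def matches_request(reply: bytes, ident: int, seq: int, payload: bytes) -> bool:
    """Accept only an intact Echo Reply that echoes our id, seq and payload (rejects stray/forged ICMP)."""
    p = parse_echo(reply)
    return (p["type"] == ICMP_ECHO_REPLY and p["code"] == 0 and p["checksum_ok"]
            and p["id"] == ident and p["seq"] == seq and p["payload"] == payload)


if __name__ == "__main__":
    ident, seq, payload = 0x1234, 1, b"footprinting"      # assumed values
    request = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
    # Constructed: a minimal 20-byte IPv4 header (IHL=5) followed by the host's Echo Reply
    on_the_wire = bytes([0x45]) + bytes(19) + build_echo(ICMP_ECHO_REPLY, ident, seq, payload)
    reply = strip_ip_header(on_the_wire)
    print("request :", request.hex())
    print("reply ok:", matches_request(reply, ident, seq, payload))
```

The identifier/sequence match matters in practice: a ping sweep that accepts any Echo Reply from the address can be fooled by unrelated ICMP traffic, and a host whose reply fails the checksum check should be counted as unknown, not alive.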

  35. FPing • FPing (Fast Ping) • Similar to the ping program: sends out ICMP Echo Request packets and reports on host reachability, packet loss, and round-trip delay. • Unlike ping • fping can send ICMP packets to multiple IP addresses at once, round-robin, instead of waiting for each host in turn • fping is meant to be used in scripts and its output is easy to parse.

  36. Enter IP addresses in Fping • manually enter multiple IP addresses at a shell • # fping -g 193.145.85.201 193.145.85.220 • # fping -g 192.168.1.0/24 • Input file with addresses • # fping -f AddressFile

  37. Fping options • Interval between sending ping packet • -i 30 • The count of pings to send to each target • -c 2 • Number of retries • -r 3 • Amount of ping data to send • -b 100 • Etc.

  38. Hping • Hping is a command-line oriented TCP/IP packet assembler/analyzer • Allows users to fragment and manipulate IP packets • Can be used to test and bypass filtering devices • Supports TCP, UDP, ICMP and RAW-IP protocols

  39. Hping Craft IP Packets • Crafting packets helps you obtain more information about a service • Source IP address • Destination IP address • Flags: SYN, ACK, FIN …

  40. Hping as a port scanner (1) • Crafting TCP packets is the default behavior of HPING. • By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets. • SYN scan or Stealth scan • An open port is indicated by a SA return packet, closed ports by a RA • E.g. 1 • # hping -I eth0 -S 192.168.10.1 -p 80

  41. Hping as a port scanner (2) • A nice feature is the ++, which will increase the destination port in the packets by one. • e.g. 2 • # hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA • All known NMAP scanning techniques can be easily reproduced

  42. Idle scanning (1) • Idle scanning is a technique to port scan a remote system fully anonymously: the target never sees a packet from the attacker's address. • Three hosts take part in idle scanning • The Attacker runs two sessions of hping • The Server is the machine to be scanned • The Silent host is a machine that is not busy generating packets • and has a predictable increase in the IP header IDENTIFICATION field (one global counter, +1 per packet sent).

  43. Idle scanning (2) • A suitable silent host can be found by running the following hping probe. • # hping -I eth0 -SA 192.168.10.1 • HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes • len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms • len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms • len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms • ...

  44. Idle scanning procedure (1)

  45. Idle scanning procedure (2) • The attacker runs a continuous probe against the silent host, and the attacker scans the server, spoofed with the IP address of the silent host. • Step 2, a spoofed scan of the server by the attacker • # hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 -p ++20 • HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes

  46. Idle scanning procedure (3) • Step 1, 4: a continuous probe from the attacker to the Silent host to • monitor the IP IDENTIFICATION field: • # hping -I eth0 -r -S 192.168.10.1 -p 2000 • HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data • bytes • .. • len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms • len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms • (port 21) • len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms • len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms • len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms • len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms • (port 25)

  47. Why does Idle scanning work? • Scenario 1: • If the attacker scans an open port at the server with a SYN packet spoofed from the silent host, the server will respond with a SYN/ACK packet to the silent host. • The silent host did not open that connection, so it reacts by sending a RESET packet to the server, which increases its IP_ID by one • The next probe the attacker sends will get an IP_ID in return that is 2 units higher than the previous probe (one for the RST to the server, one for the reply to the probe).

  48. Why does Idle scanning work? • Scenario 2: • If the attacker sends a SYN packet to a closed port of the server • The server sends a RST to the silent host, and a RST is never answered, so the silent host sends nothing. • IP_ID is only increased by the reply to the attacker's probe, so the next probe shows an increase of 1.
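The three-host exchange of slides 42 to 48 simulated end to end, as an added example (not code from the original slides). The hosts are Python objects, not machines: the "server" has a hard-coded set of open ports, the "silent host" keeps one global IP ID counter that grows by one per packet it sends, and the only segment the server ever receives carries the silent host's address, exactly as the `hping -a` spoof does. Port numbers, the starting IP ID and the host names are assumptions.

```python
"""Idle (zombie) scan simulated with three hosts (added example)."""
from typing import Dict, Optional, Set

Segment = Dict[str, object]   # stand-in for a TCP/IP packet: src, dst, dport, flags, id


class Server:
    """The target: answers a SYN with SYN/ACK on an open port, RST/ACK on a closed one."""
    def __init__(self, open_ports: Set[int]):
        self.open_ports = set(open_ports)

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg["flags"] != {"SYN"}:
            return None
        flags = {"SYN", "ACK"} if seg["dport"] in self.open_ports else {"RST", "ACK"}
        return {"src": "server", "dst": seg["src"], "dport": 0, "flags": flags}


class SilentHost:
    """The zombie: one global IP ID counter, incremented on every packet it sends."""
    def __init__(self, start_id: int):
        self.ip_id = start_id

    def receive(self, seg: Segment) -> Optional[Segment]:
        if "RST" in seg["flags"]:
            return None                          # a RST is never answered: no packet, no ID used
        # A SYN probe to a closed port, or a SYN/ACK for a connection it never opened,
        # both get a RST back, and that RST consumes the next IP ID
        self.ip_id += 1
        return {"src": "silent", "dst": seg["src"], "dport": 0, "flags": {"RST"}, "id": self.ip_id}


def probe_zombie(zombie: SilentHost) -> int:
    """Steps 1 and 4: the attacker's own SYN to the silent host; its RST reveals the current IP ID."""
    reply = zombie.receive({"src": "attacker", "dst": "silent", "dport": 2000, "flags": {"SYN"}})
    return reply["id"]


def idle_scan_port(server: Server, zombie: SilentHost, port: int) -> dict:
    """One port: probe, spoofed SYN, let the server's answer reach the zombie, probe again."""
    before = probe_zombie(zombie)
    spoofed = {"src": "silent", "dst": "server", "dport": port, "flags": {"SYN"}}  # hping -a <silent>
    answer = server.receive(spoofed)
    if answer is not None:
        zombie.receive(answer)                   # the network delivers the server's reply to the zombie
    delta = probe_zombie(zombie) - before
    # +1 is just our own probe (closed); +2 means the zombie also sent a RST to the server (open);
    # anything else means the zombie was not idle and the result is untrustworthy
    state = {1: "closed", 2: "open"}.get(delta, "unknown")
    return {"port": port, "ipid_delta": delta, "state": state}


def idle_scan(server: Server, zombie: SilentHost, ports) -> Dict[int, str]:
    return {p: idle_scan_port(server, zombie, p)["state"] for p in ports}


if __name__ == "__main__":
    srv = Server({21, 25, 80})                   # constructed target
    zombie = SilentHost(start_id=18106)          # the id the slide's probe happened to show
    for result in (idle_scan_port(srv, zombie, p) for p in (21, 22, 25, 80)):
        print(f"port {result['port']:>3}: ipid +{result['ipid_delta']} -> {result['state']}")
```

Two things the simulation makes visible: the attacker's probes to the silent host are not spoofed, so the zombie (and anyone watching it) does see the attacker, and the whole inference rests on the zombie's IP ID being one sequential global counter. Modern stacks randomise the ID or use per-destination counters, which is why finding a usable silent host is the hard part of the technique.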

  49. SYN ATTACK by Hping (1) • Example: against an IIS 5.0 machine running Windows 2000 Professional SP4. • To avoid the attacking machine's own kernel answering the SYN/ACKs with TCP resets, use a spoofed source address with the -a switch. • To raise the packet rate, give -i an interval with a u prefix for microseconds • E.g., -i u1000 means one packet every 1000 microseconds (about 1,000 pps). • # hping -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000
